Bug 1264005 - when dropping privileges secondary user groups are not loaded
Summary: when dropping privileges secondary user groups are not loaded
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mock
Version: epel7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Suchý
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1292556
TreeView+ depends on / blocked
 
Reported: 2015-09-17 10:05 UTC by Lukas Herbolt
Modified: 2019-09-26 03:08 UTC (History)
6 users (show)

Fixed In Version: mock-1.4.18-1.fc29 mock-1.4.18-1.fc31 mock-1.4.19-1.fc30 mock-1.4.19-1.el8 mock-1.4.19-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-06 12:58:34 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
data for reproducer (23.68 KB, application/x-gzip)
2015-09-17 10:05 UTC, Lukas Herbolt 		no flags Details
View All

Description Lukas Herbolt 2015-09-17 10:05:29 UTC 
Created attachment 1074381 [details]
data for reproducer

Description of problem:
When mock drops privileges it loads only primary group and UID of the user and over
os.setgroups() loads only mockgig  

Version-Release number of selected component (if applicable):
Installed Packages
Name        : mock
Arch        : noarch
Version     : 1.2.12
Release     : 1.el7
Size        : 952 k
Repo        : installed
From repo   : epel


How reproducible:
Well this is an issue if you are going to use mock via retrace server.

Steps to Reproduce:
1. Download attached package 
2. Change owner to be different from your user
3. Change group to be some different from your primary group, bu you must be member of the group

4. ensure all dirs and files have access rights 770
5 run: /usr/bin/mock --configdir <path to the mock config dir> shell

Actual results:

ERROR: Could not find required config file: <path to the config>
ERROR:   Did you forget to specify the chroot to use with '-r'?
ERROR:   If you're trying to specify a path, include the .cfg extension, e.g. -r ./target.cfg


Expected results:

mock chrooted shell 

Additional info:
As written in description.
We are switching from UID/GID 0/0 to USERHELPER_UID. (sudo is not used anymore imho)
UID is correctly recognized as int(os.environ['USERHELPER_UID']).
GID is fine as well, but as other groups we set only mockgid.
We should also append users secondary groups.

---
def setup_uid_manager(mockgid):
    #import pdb; pdb.set_trace()
    unprivUid = os.getuid()
    unprivGid = os.getgid()

    # sudo
    if os.environ.get("SUDO_UID") is not None:
        unprivUid = int(os.environ['SUDO_UID'])
        os.setgroups((mockgid,))
        unprivGid = int(os.environ['SUDO_GID'])

    # consolehelper
    if os.environ.get("USERHELPER_UID") is not None:
        unprivUid = int(os.environ['USERHELPER_UID'])
        os.setgroups((mockgid,))   <<<< 
        unprivGid = pwd.getpwuid(unprivUid)[3]

    uidManager = mockbuild.uid.UidManager(unprivUid, unprivGid)
    return uidManager
---
Something like could be nice (the primary group is listed but it could be removed easily):

>>> user= "lherbolt"
>>> [g.gr_name for g in grp.getgrall() if user in g.gr_mem]
Comment 1 Miroslav Suchý 2019-07-15 15:12:32 UTC 
Fixed in commit c6fe975.

Note that those groups are loaded only when using consolehelper. When environment SUDO_* is set, these secondary groups are not loaded and set.
Comment 2 Fedora Update System 2019-08-08 12:22:54 UTC 
FEDORA-EPEL-2019-b8a4ee539c has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-b8a4ee539c
Comment 3 Fedora Update System 2019-08-08 12:22:55 UTC 
FEDORA-2019-fb9320e658 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fb9320e658
Comment 4 Fedora Update System 2019-08-08 12:23:02 UTC 
FEDORA-2019-2b689a0720 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2b689a0720
Comment 5 Fedora Update System 2019-08-09 00:11:06 UTC 
mock-1.4.17-1.el7, mock-core-configs-30.5-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-b8a4ee539c
Comment 6 Fedora Update System 2019-08-09 00:52:33 UTC 
mock-1.4.17-1.fc30, mock-core-configs-30.5-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2b689a0720
Comment 7 Fedora Update System 2019-08-09 01:36:05 UTC 
mock-1.4.17-1.fc29, mock-core-configs-30.5-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fb9320e658
Comment 8 Fedora Update System 2019-08-17 01:40:11 UTC 
FEDORA-2019-fb9320e658 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fb9320e658
Comment 9 Fedora Update System 2019-08-27 13:05:42 UTC 
FEDORA-2019-f04222503c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f04222503c
Comment 10 Fedora Update System 2019-08-27 13:05:51 UTC 
FEDORA-2019-21420476c0 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-21420476c0
Comment 11 Fedora Update System 2019-08-27 13:05:52 UTC 
FEDORA-EPEL-2019-047f59dd65 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-047f59dd65
Comment 12 Fedora Update System 2019-08-27 13:06:00 UTC 
FEDORA-EPEL-2019-09b55870bc has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-09b55870bc
Comment 13 Fedora Update System 2019-08-29 21:01:14 UTC 
mock-1.4.18-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f04222503c
Comment 14 Fedora Update System 2019-08-29 22:23:48 UTC 
mock-1.4.18-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-047f59dd65
Comment 15 Fedora Update System 2019-08-30 00:04:12 UTC 
mock-1.4.18-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-21420476c0
Comment 16 Fedora Update System 2019-08-30 00:25:18 UTC 
mock-1.4.18-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b43d7a848
Comment 17 Fedora Update System 2019-08-30 01:38:44 UTC 
mock-1.4.18-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-09b55870bc
Comment 18 Fedora Update System 2019-09-06 12:58:34 UTC 
mock-1.4.18-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2019-09-10 15:04:24 UTC 
FEDORA-EPEL-2019-dc67f1a15b has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dc67f1a15b
Comment 20 Fedora Update System 2019-09-10 15:04:32 UTC 
FEDORA-EPEL-2019-48d5120c58 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-48d5120c58
Comment 21 Fedora Update System 2019-09-10 15:04:41 UTC 
FEDORA-2019-26635f4002 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-26635f4002
Comment 22 Fedora Update System 2019-09-11 02:59:06 UTC 
mock-1.4.19-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-26635f4002
Comment 23 Fedora Update System 2019-09-11 04:20:13 UTC 
mock-1.4.19-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-48d5120c58
Comment 24 Fedora Update System 2019-09-11 06:07:19 UTC 
mock-1.4.19-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dc67f1a15b
Comment 25 Fedora Update System 2019-09-14 00:06:01 UTC 
mock-1.4.18-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2019-09-14 16:30:26 UTC 
mock-1.4.18-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2019-09-19 01:30:11 UTC 
mock-1.4.19-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2019-09-26 00:08:55 UTC 
mock-1.4.19-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2019-09-26 03:08:06 UTC 
mock-1.4.19-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.